[aur-general] [REVIEW REQUEST] python-viivakoodi

Quentin Bourgeois quentin at bourgeois.eu
Sun Nov 27 15:30:10 UTC 2016


On 16-11-26 19:27:37, Eli Schwartz via aur-general wrote:
> On 11/26/2016 01:01 AM, Florian Bruhin wrote:
> >>   * Upstream does not provide any GPG signature of the tarballs nor
> >>   commit signature. I've chosen to provide a detached GPG signature
> >>   of the downloaded tarball with my GPG key. For me, it's better to
> >>   have this link-ability between the package maintainer and the
> >>   downloaded tarball than nothing at all.
> > 
> > Not sure if that makes much sense, and FWIW I've had some issues with
> > people not being able to install AUR packages with PGP keys. I don't
> > recall exactly what the problem was though...
> 
> This. GPG signatures are meant to prove that upstream really released
> it, but if all you know is that the AUR maintainer *thinks* this is the
> upstream release, you might as well just stick with checksums, which
> will serve just as well to prove the source code is the same source code
> the AUR maintainer used.
> 
> Anyone who can defeat the checksum (by modifying your PKGBUILD) can also
> defeat your own GPG key.
> 
You are right, I have removed this. My first goal was to sign my
PKGBUILD file; I don't think it's possible?

On 16-11-26 07:01:15, Florian Bruhin wrote:
> > optdepends=('inkscape: tools for manipulating vector objects (eg: SVG files)')
>
> You'd usually put an explanation when/why inkscape is needed here.
>
Inkscape (or any other tool for SVG handling) is needed if one would
like to see the result of the generated document in SVG format. As there
could be a long list, I am not sure if such dependencies should be put
into the PKGBUILD, even in optdepends?

> >     if [ -f LICENSE ]; then
> >         install -Dm0644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
> >         install -Dm0644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE.launcher"
> >     else
> >         warning "license file not found"
> >     fi
>
> Why would it ever not exist?
I added this check in case upstream changes for any reason, so as not
to break the build process. The warning should be enough to let me
investigate. I generally don't perform operations on resources that
might not be present; I just applied this here too.

Thanks for your feedback, I have updated the PKGBUILD[0].

[0] https://git.bourgeois.eu/aur_python_viivakoodi.git/tree/
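An added illustration of the point made about checksums versus a maintainer-made signature (this is example code written for this page, not code from the thread or from the python-viivakoodi package). It assumes POSIX sh with coreutils sha256sum; the "tarball" and the one-line PKGBUILD fragment are constructed in a temporary directory. The three scenarios show what makepkg's sha256sums check actually binds: the downloaded file to whatever value the PKGBUILD records, and nothing beyond that.

```shell
#!/bin/sh
# Added example, not from the thread or the package. Shows what a PKGBUILD
# checksum binds. Assumes POSIX sh plus sha256sum from coreutils; every file
# used here is constructed in a temporary directory.
set -eu

# Record the sha256 of tarball $1 into PKGBUILD-like file $2, the way a
# maintainer does with updpkgsums or by hand.
record_checksum() {
    printf "sha256sums=('%s')\n" "$(sha256sum "$1" | cut -d' ' -f1)" > "$2"
}

# Compare tarball $1 against the checksum recorded in $2 (what makepkg does
# before building). Prints "pass" or "fail".
verify_source() {
    expected=$(sed -n "s/^sha256sums=('\([0-9a-f]*\)').*/\1/p" "$2")
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo pass
    else
        echo fail
    fi
}

# Lay out a constructed "release tarball" and a PKGBUILD recording its checksum.
setup_scenario() {
    dir=$(mktemp -d)
    printf 'constructed release contents, not a real archive\n' > "$dir/pkg-1.0.tar.gz"
    record_checksum "$dir/pkg-1.0.tar.gz" "$dir/PKGBUILD"
    echo "$dir"
}

# 1. Tarball exactly as the maintainer recorded it: the check passes.
untouched_tarball() {
    dir=$(setup_scenario)
    verify_source "$dir/pkg-1.0.tar.gz" "$dir/PKGBUILD"
    rm -rf "$dir"
}

# 2. Tarball changed after the checksum was recorded (a stale or bad
#    download): the checksum catches it, which is the job it is meant to do.
altered_tarball() {
    dir=$(setup_scenario)
    printf 'one more byte\n' >> "$dir/pkg-1.0.tar.gz"
    verify_source "$dir/pkg-1.0.tar.gz" "$dir/PKGBUILD"
    rm -rf "$dir"
}

# 3. Tarball changed and the PKGBUILD re-recorded by whoever controls it:
#    the check passes. The checksum is only as trustworthy as the PKGBUILD it
#    lives in; a signature the maintainer generates themselves sits in that
#    same file, so it proves nothing more than the checksum already does.
altered_tarball_and_pkgbuild() {
    dir=$(setup_scenario)
    printf 'one more byte\n' >> "$dir/pkg-1.0.tar.gz"
    record_checksum "$dir/pkg-1.0.tar.gz" "$dir/PKGBUILD"
    verify_source "$dir/pkg-1.0.tar.gz" "$dir/PKGBUILD"
    rm -rf "$dir"
}

printf 'untouched tarball: %s\naltered tarball: %s\naltered tarball and PKGBUILD: %s\n' \
    "$(untouched_tarball)" "$(altered_tarball)" "$(altered_tarball_and_pkgbuild)"
```

Only an upstream-held key (verified through validpgpkeys against a signature upstream actually publishes) adds a trust link that does not live inside the PKGBUILD itself; that is the distinction the reply above draws.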